How do you feel about mandatory 2fa policies?

Especially for personal accounts.

I get why a corporation would require it for employees...

But I hate it when Apple, Samsung, etc. are forcing you to have 2fa, especially by requiring a phone number.

Side note: Bitwarden will be requiring email verification codes starting in February 2025, for those who haven't enabled 2fa yet (see my Post in YSK). Most people store their email credentials in their password vault... so a lot of people are gonna get locked out of their bitwarden vaults. I kinda hate it, especially on such sort notice (less than 10 days).

You're viewing a single thread.

44 comments

In today’s world, MFA (multifactor authentication) is a necessity for literally any account in which you store information you don’t want to be stolen by someone. I’m more upset that several services I use still don’t support it, or only support MFA via text or email, neither of which is secure enough to be of much use.
You don’t want the place where you store your passwords, likely including your bank account, health insurance, social media accounts, etc. to be more difficult to hack? You live in a post-quantum world. Passwords aren’t enough.
- 100% agree with the exception that 2FA over SMS or email needs to die, along with the “magic link” style of signing in.
  Why is everyone so slow to implement FIDO2?
  
  Agreed. But I think it’s evident even in these threads why companies are slow to adopt. Lemmy is still a niche corner of the internet predominantly used by technology savvy people, and yet you see folks here saying that they hate the inconvenience of it. Less tech adept users are more likely to dislike the additional friction.
  
  Maybe I’ve been in the Apple garden too long but Passkeys make this easy enough for any idiot.
  Now if websites would stop prompting for a password and just use passwordless authentication I’d be happy.
  In fact I did this for my own business in one day using Authentik as SSO like three years ago. What’s the holdup?
- This is the correct answer. MFA should be enforced for literally every account you have, and the method should be app-based or a hardware token.
  It turns out that people en masse are lazy and will use the same simple password for all their accounts and then wonder how they got hacked. People in tech for the past 30 years or so struggled with the difference between theory and practice when it came to user psychology, and I am happy that we are finally starting to realize the user psychology aspect and just force them to be secure.

44 comments